Method for providing postal items with postal prepayment impressions

ABSTRACT

The invention relates to a method for providing postal items with postal prepayment impressions, characterized in that data are generated in the customer system that are encrypted in such a manner that the value transfer center is able to decrypt them. To this end, the data are transmitted from the customer system to the value transfer center. The value transfer center then decrypts the data, re-encrypts them with a key not known to the customer system and transmits the encrypted data to the customer system.

The invention relates to a method for providing mailpieces with postage indicia, whereby a customer system loads a monetary amount from a value transfer center via a data line, whereby the customer system controls the printing of postage indicia onto mailpieces and whereby the value transfer center transmits a data packet to the customer system.

A method of this generic type is known from international patent application WO 98 14907.

Another method is known from German Patent No. DE 31 26785 C1. With this method, a reloading signal intended for the franking of mailpieces is generated in a separate area of a value transfer center operated by a postal service provider.

The invention is based on the objective of creating a method for applying postage to letters that is suitable for applying postage to individual letters as well as for applying postage to bulk mail.

According to the invention, this objective is achieved in that data is generated in the customer system and encrypted in such a manner that the value transfer center is able to decrypt this data, in that the data is transmitted from the customer system to the value transfer center and in that the value transfer center decrypts the data and then re-encrypts the data with a key that is not known to the customer system and subsequently transmits the data thus encrypted to the customer system.

The customer system is preferably configured in such a way that it is not capable of completely decrypting data transmitted by the value transfer center, whereas a mail center in which the mailpieces are checked for correct franking can decrypt this data.

The value transfer center can be configured in various ways. The term value transfer center encompasses known value transfer centers as well as new forms of value transfer centers.

The invention relates especially to those value transfer centers that can be directly accessed via a data communication line such as the Internet or telephone lines of connected data servers.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the encryption takes place in the customer system using a random number.

It is advantageous for the random number to be generated in a security module to which a user of the customer system has no access.

A preferred embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the random number is encrypted together with a session key issued by the value transfer center and with a public key of the value transfer center.

It is advantageous for the customer system to sign the data with a private key.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the private key is stored in the security module.

It is advantageous for the data to be transmitted from the customer system to the value transfer center at the time of each request for a monetary amount.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the value transfer center identifies the customer system on the basis of the transmitted data.

It is advantageous for the value transfer center to transmit the data it has encrypted to the customer system.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the data transmitted by the value transfer center to the customer system has a first component that cannot be decrypted by the customer system and in that the data also has a second component that can be decrypted by the customer system.

It is advantageous for the part of the data that can be decrypted by the customer system to contain information about the identity of the customer system.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the part of the data that can be decrypted by the customer system contains information about the actual monetary amount.

It is advantageous for a transmission of data from the customer system to the value transfer center to only take place when a minimum amount is to be loaded into the customer system.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that a hash value is formed in the customer system.

It is advantageous for the hash value to be formed with the inclusion of information about mailing data.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the hash value is formed with the inclusion of a temporarily stored random number.

It is advantageous for the hash value to be formed with the inclusion of a loading procedure identification number.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the postage indicium contains logical data.

It is advantageous for the postage indicium to contain information about mailing data.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the logical data contains information about the encrypted random number.

It is advantageous for the logical data to contain information about the encrypted loading procedure identification number.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the logical data contains information about the hash value.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the postage indicium contains information transmitted by the value transfer center as well as data entered by the document producer.

It is advantageous to carry out the method or to configure the customer system or the value transfer center in such a way that the postage indicium contains a hash value that is formed on the basis of a combination of a value transmitted by the value transfer center and of values entered by the document producer.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that they comprise the following process steps: in the customer system or in a security module connected to the customer system, a secret is generated and subsequently transmitted to the value transfer center, together with information about the identity of the document producer and/or of the customer system he/she is using.

It is advantageous to carry out the method or to configure the customer system or the value transfer center in such a way that the value transfer center decrypts the encrypted random number and then re-encrypts it in such a way that only the mail center can decrypt it, and subsequently the value transfer center generates a loading procedure identification number.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the encrypted random number enters into the generation of the loading procedure identification number.

It is advantageous to carry out the method or to configure the customer system or the value transfer center in such a way that the loading procedure identification number is transmitted to the security module.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that, in the security module, a hash value is formed on the basis of the loading procedure identification number and additional data.

It is advantageous to carry out the method or to configure the customer system or the value transfer center in such a way that the postage indicium is created so as to contain the hash value.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the validity of postage indicia is verified in the mail center.

It is advantageous to carry out the method or to configure the customer system or the value transfer center in such a way that the verification in the mail center is performed by an analysis of data contained in the postage indicium.

An advantageous embodiment of the method, a preferred configuration of the customer system and of the value transfer center are characterized in that the verification station forms a hash value on the basis of data contained in the postage indicium and checks whether this hash value matches the hash value contained in the postage indicium; if it does not match, the postage indicium is registered as being forged.

Additional advantages, special features and advantageous refinements of the invention ensue from the representation below of a preferred embodiment with reference to the drawings.

The drawings show the following:

FIG. 1—a schematic diagram of a method according to the invention,

FIG. 2—the schematic diagram shown in FIG. 1 with emphasis on theparties involved in a franking procedure,

FIG. 3—interfaces of the franking system shown in FIGS. 1 and 2, and

FIG. 4—a schematic diagram of security mechanisms used in the method.

The following embodiment describes the invention with reference to an envisaged use in the realm of the Deutsche Post AG. However, it is, of course, equally well possible to use the invention for franking other documents, especially for use in the realm of other service providers.

The invention provides a practicable new form of franking with which customers can use a conventional PC with a printer and additional software and optionally hardware as well as Internet access to print "digital postage indicia" on letters, postcards, etc.

The customer can pay for the value of the printed-out postage indicia in various ways. For example, a stored credit can be correspondingly reduced. This credit is preferably stored digitally. Digital storage is effectuated, for example, on a special customer card, on a standardized bank card or in a virtual memory that is located, for instance, in a computer of the user. Preferably, the amount of credit is loaded before postage indicia are printed out. In an especially preferred embodiment, the amount of credit is loaded by means of a direct-debit procedure.

FIG. 1 shows a fundamental sequence of applying postage according to the invention to mailpieces. The method comprises several steps that can preferably be complemented to form a complete cycle. Although this is very advantageous, it is not necessary. The number of steps, namely eight, presented below is similarly advantageous, but likewise not necessary.

-   1. With a PC, customers of the postal service provider (optionally using additional software/hardware, for example, a microprocessor chip card) load a value amount via the Internet.
-   2. A collection procedure is carried out on the value amount, for example, by debiting the account of the customer.
-   3. Valid postage values in any desired amount can be printed out from the value amount that is stored in an electronic purse of the customer via his/her own printer until the credit is used up.
-   4. The postage indicium printed by the customer contains readable information as well as a machine-readable bar code that is used by the Deutsche Post to verify the validity.
-   5. The mailpiece to which postage has been applied can be dropped off via the modalities offered by the Deutsche Post, for example, mailboxes and post office branches.
-   6. The bar code indicated in the postage indicium, preferably a 2D bar code, is read in the mail center by means of an address reading machine. During the processing, the validity is verified on a logical plausibility basis.
-   7. The data read from the postage indicium is transmitted, among other things, for purposes of payment assurance, to a background system.
-   8. A comparison is made between the loaded account amounts and the processed mailings in order to detect misuse.

Preferably, several parties are involved in the franking procedure, whereby an especially advantageous breakdown of the parties is shown in FIG. 2.

The parties shown are a customer, a customer system and a postal service provider.

The customer system comprises the hardware and software used by the customer for the PC franking. The customer system interacts with the customer to regulate the loading and storing of the account amounts. Details pertaining to the customer system regulate the approval prerequisites.

The postal service provider carries out the processing of the mailings and performs the necessary payment assurance. A value transfer center can be configured in various ways.

-   The operation of one's own value transfer center, in conjunction with the security architecture of the PC franking, allows the use of symmetrical encryption procedures in the postage indicium. As a result, the requisite verification time of the validity of a postage indicium is considerably reduced. A prerequisite for the use of a symmetrical procedure is the operation of the value transfer center and of the mail centers by the same organization. Such accelerated processing would not be possible if asymmetrical security elements were used in the postage indicium.
-   Realization of all necessary security requirements, among other things, in order to avoid internal and external manipulations:
    -   Unlike with conventional application of postage by the sender, the communication takes place via the open and potentially non-secure Internet. Attacks on the communication paths and on the Internet server as well as internal possibilities of manipulation call for higher security precautions. These are primarily in the interest of the Deutsche Post and its customers.
    -   An improvement of the security is possible through central management of cryptographic keys specified by the postal service provider. The keys that are relevant for the processing in the mail center can be replaced at any time by the Deutsche Post, and the key lengths can be changed.
    -   Verifications for purposes of payment assurance are possible by means of a uniform verification procedure and can be carried out at any time.
    -   New contractual participants and amendments to agreements can be quickly communicated to all necessary systems of the postal service provider.

Payment assurance is preferably carried out by compiling components of the postage indicia.

For this purpose, agreement data (customer/customer system data) is transmitted from a central database to the system that is needed for the verification of the proper payment assurance.

The scope of the data to be stored is determined by the postal service provider, especially the operator of the postal service, taking into account the statutory regulations such as the German Postal Service Provider Data Protection Regulations (Postdienstunternehmensdatenschutzverordnung—PDSV). Fundamentally, these regulations state that all data may be stored that is needed for the proper determination, accounting and evaluation as well as for the verification of the accuracy of retrospective payments. As a matter of principle, this constitutes all mailing information without the name of the recipient and optionally the street number or P.O. Box of the recipient.

A background system checks whether the monetary amounts present in the customer system are, in fact, reduced by the monetary amounts that are printed out as postage indicia.

Compiling agreement data is preferably effectuated by a compilation system.

Agreement data for PC franking with the individual master data of the customer and of the customer system (e.g. security module ID) is provided and maintained by a database that can be used, for example, for other types of postage application. When an existing postage application database is used, for example, a separate partial area is used for PC franking in the database. The data is provided to the value transfer center and to the system for payment assurance in the mail center.

It is especially advantageous for the system to comprise interfaces that allow a data and information exchange with other systems.

FIG. 3 shows three interfaces.

The interfaces are designated "postage indicium" (the franking interface), "account" (the accounting interface) and "collection". Account data is exchanged between the customer system and the postal service provider via the accounting interface. For example, a sum of money can be loaded via the accounting interface.

The franking interface determines how postage indicia will be configured so that they can be read and verified in mail or freight centers.

In the implementation of the interfaces shown in FIG. 3, the accounting interface and the collection interface are separate from each other. However, it is likewise possible for the accounting interface and the collection interface to be combined, for example, in the case of accounting via bank cards, credit cards or digital money, especially digital coins. The collection interface determines how the monetary amounts transmitted via the accounting interface will be invoiced. The other parameters of the franking method do not depend on the selected collection interface, but an efficient collection interface increases the efficiency of the entire system. Preferred collection modalities are direct debits and invoices.

Below, there will be a presentation of how the security objectives of the franking method are achieved through application-specific, content-based security requirements.

The focus of this concept is aimed at the technical specification of the security requirements made of the system. Processes that are not security-relevant, such as registering, canceling and re-registering customers, which do not have to be carried out via the customer system, can be specified separately. Technical processes between the customer system and the customer system producer are preferably specified in such a way that they meet the security standard described here.

The following security objectives are achieved by the method according to the invention.

-   Fantasy markings and smears, that is to say, postage indicia that contain no plausible information about the mailing or that are unreadable for other reasons, are recognized as being invalid.
-   Duplicates, that is to say, exact copies of valid postage indicia with plausible information about the mailing, can be recognized retrospectively.
-   An increase in the amount of credit available to the customer system is prevented. Changes in the amount of credit can also be recognized and substantiated retrospectively, preferably with reference to a journal list.
-   Unauthorized uses are recognized and, in case of unauthorized use by third parties, are not charged to the legitimate user. This includes:
    -   the misuse of properly transmitted electronic data or valid postage indicia that were properly generated without the knowledge of the legitimate user,
    -   the misuse of the customer system through program changes,
    -   the unauthorized use of the customer system by foreign software agents via the Internet,
    -   the acquisition of PINs by means of attack software (Trojan horses),
    -   overload attacks (Denial-of-Service attacks, DoS), for example, by simulating the identity of the value transfer center or manipulating the loading procedure in such a way that money is debited but no credit is added.
-   Unauthorized loading of account amounts is made impossible through technical precautions in the value transfer center. Unauthorized loading of account amounts could take place, for example, through:
    -   simulating the identity of the postal value transfer center so that the customer can increase his/her own purse in the customer system,
    -   simulating a certified customer system by a manipulated or fictitious customer system in such a way that the perpetrator acquires knowledge about security-critical secrets of the security module and can then surreptitiously create forgeries,
    -   intercepting the legitimate communication between a customer system and the value transfer center and replaying this communication with fraudulent intent (replay attack),
    -   manipulating the communication between the customer system and the value transfer center in real time (incoming and outgoing data streams in the customer system) in such a way that the customer system assumes a higher loaded value amount than the value transfer center does,
    -   misuse of customer identification numbers in such a way that third parties load value amounts at the expense of a customer,
    -   incomplete cancellation transactions.

The first two of these security problems are essentially solved by the system concept and through measures in the overall system; the latter three are preferably solved by the implementation of software and hardware of the security module.

Preferred embodiments of hardware that enhance the security standard are described below:

-   Fundamental properties of the hardware
    -   1. All encryptions, decryptions, re-encryptions, signature computations and cryptographic verification procedures are carried out in areas of a cryptographic security module in the customer system that are specially protected against unauthorized access. The appertaining keys are likewise stored in such security areas.
    -   2. Security-relevant data and sequences (for example, keys, programs) are protected against unauthorized changes, and secret data (for example, keys, PINs) is protected against unauthorized reading. This is preferably effectuated by the following measures:
        -   the design of the security module, possibly interacting with security mechanisms of the software of the security module,
        -   loading programs into the security module only while the loading procedure is being established or under cryptographic protection,
        -   cryptographic securing of the loading of security-relevant data, especially of cryptographic keys,
        -   protection of secret data in security modules against being read out by means of attacks that entail the destruction of the module.
    -   a. The protection of data and programs against change or against being read out in the security module has to be so effective that, during the service life of the module, attacks involving a reasonable effort are not possible, taking into account the fact that the effort for a successful attack has to be weighed against the benefit that can be derived from it.
    -   b. It must not be possible to carry out undesired functions by means of a security module. Undesired auxiliary functions and additional data channels, especially interfaces, that unintentionally pass on information (side channels) are prevented.

Through the design of the security module, it is ensured that an attacker cannot use interfaces that are intended for other purposes to read out information about data and keys which are to be kept secret.

The presence of such channels, namely side channels, is checked by appropriate tests. Typical possibilities that are checked are:

-   1. Simple Power Analysis (SPA) and Differential Power Analysis (DPA), which attempt to deduce secret data from changes in the power consumption during cryptographic computations.
-   2. Timing attacks, which attempt to deduce secret data from the duration of cryptographic computations.
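The timing attack named in item 2 is easiest to see when the "duration" is made deterministic. The following is an added example, not code from the patent or from Deutsche Post: an early-exit secret comparison beside a constant-time one, each instrumented to report how many byte operations it performed, and a recovery loop that reconstructs the secret from nothing but that count (and, for the final byte, the accept/reject answer). The compare functions, the step counter and the constructed SECRET are this example's own.

```python
# Added example, not from the patent: the timing leak named in item 2 above,
# made deterministic by counting byte operations instead of measuring time.
# The compare functions, the step counter and SECRET are this example's own.
def naive_compare(secret, guess):
    """Early-exit comparison: the work done reveals where the first mismatch is."""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_compare(secret, guess):
    """Touches every byte regardless of content; only the length is observable."""
    steps, diff = 0, 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def recover_by_timing(secret, compare=naive_compare):
    """Recover `secret` byte by byte from the observable work count (and, for
    the last byte, the accept/reject answer). Against constant_time_compare
    every wrong probe looks identical, so the loop learns nothing."""
    known = b""
    for pos in range(len(secret)):
        def observe(c):
            probe = known + bytes([c]) + b"\x00" * (len(secret) - pos - 1)
            ok, steps = compare(secret, probe)
            return steps, ok          # the attacker sees only these two things
        known += bytes([max(range(256), key=observe)])
    return known


SECRET = b"\x3a\x00\x7f\x12\xff\x41"  # constructed module secret with an embedded zero byte
```

`recover_by_timing(SECRET)` returns the secret after at most 256 probes per byte; with `compare=constant_time_compare` it returns an all-zero string because no probe stands out. In a real module the count corresponds to clock cycles, and in Python code the practical answer is `hmac.compare_digest`. Power analysis (item 1) needs a current trace rather than a timer and is not modelled here.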

Preferred properties of the data processing are presented below:

-   Sequence control:
    -   It is especially advantageous for a sequence control to be carried out. This can be done, for example, by means of a state machine, for example, in accordance with Standard FIPS PUB 140-1. This ensures that the sequences of the specified transactions and the security-relevant data of the system used for this purpose cannot be manipulated.

The involved entities, especially the user, must not be misled by a security module about the sequences of the transactions.

If, for example, the procedure of loading a value amount is carried out in the form of several partial procedures with individual call instructions of the security module, then the sequence control must ensure that these partial procedures are only carried out in the permissible order.

The status data that is used for the sequence control is security-relevant and is therefore preferably stored in an area of the security module that is secured against manipulation.

-   Message integrity:
    -   1. All security-relevant information in the messages is protected against unauthorized changes before and after being transmitted into the components of the system.
    -   2. Changes to security-relevant information during the transfer between components of the chip-card-aided payment system are recognized. Appropriate reactions to integrity breaches must be generated.
    -   3. The unauthorized importing of messages is recognized. Appropriate reactions to re-imported messages must also be generated.

The fact that unauthorized changes and the re-importing of messages can be recognized is ensured for the standard messages of the system by the definitions of the system concept. The software of the security module must ensure that the recognition does indeed occur and that the appropriate reaction is generated. For security-relevant, producer-specific messages (for example, within the scope of personalizing or maintaining the security module), suitable mechanisms are specified and employed.

The information relevant for securing the message integrity is preferably stored in an area of the security module that is secured against manipulation. Such information includes especially identification and authenticity features, sequence counters or monetary amounts.

-   Secrecy of PINs and cryptographic keys:
    -   1. Although the PIN should not be transmitted in plain text outside of secured areas, plain-text handling during PC franking is preferably tolerated for reasons of the user-friendliness of the entire system and the use of existing, unsecured hardware components in the customer system (keyboard, monitor). However, the local system components in which the PINs are processed or stored in plain text should be kept to a minimum. An unsecured transmission of the PINs must not take place.
    -   2. Cryptographic keys must never be transmitted in plain text via electronic transmission paths in an unsecured environment. If they are used or stored in system components, then they must be protected against unauthorized reading out and modification.
    -   3. No system component may offer a possibility to determine a PIN on the basis of an exhaustive search.
-   Recording in a journal:
    -   1. Within the customer system, all data is recorded that is needed for the reconstruction of the appertaining sequences. Moreover, error cases that arouse a suspicion of manipulation are also recorded.
    -   2. Stored journal data must be protected against unauthorized changes and it must be possible to transfer it authentically to an evaluating entity.
-   Processing of other uses:
    -   If other applications are concurrently processed in security modules, then this must not compromise the security of the PC franking system.
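The four requirements above (sequence control, message integrity with re-import detection, PIN secrecy against exhaustive search, journal recording) are usually met by one small core in the security module. The following is an added example, not the patent's or any producer's code: a state machine that only accepts the partial procedures of a loading transaction in the permitted order, a MAC plus monotonic sequence counter on the value transfer center's confirmation so that altered or re-imported messages are refused, a PIN retry limit, and a hash-chained journal that an evaluating entity can check for edits. The link key shared with the value transfer center, the message layout (`seq`, `amount_cents`, `mac`), the retry limit of three and the chained-journal format are assumptions of this example, not of the patent.

```python
# Added example, not the patent's own code: one security-module core covering
# sequence control, message integrity with re-import detection, PIN retry
# limiting and a tamper-evident journal. The link key shared with the value
# transfer center (VTC), the message layout, the retry limit of three and the
# hash-chained journal are this example's assumptions, not the patent's.
import hashlib
import hmac
import json

class ModuleError(Exception):
    pass

def _mac(link_key, msg):
    body = json.dumps({"seq": msg["seq"], "amount_cents": msg["amount_cents"]}, sort_keys=True)
    return hmac.new(link_key, body.encode(), hashlib.sha256).hexdigest()

def vtc_confirmation(link_key, seq, amount_cents):
    """VTC side of the load confirmation (demo only)."""
    msg = {"seq": seq, "amount_cents": amount_cents}
    return {**msg, "mac": _mac(link_key, msg)}

class SecurityModuleCore:
    def __init__(self, link_key, pin, max_pin_tries=3):
        self._link_key, self._pin, self._max = link_key, pin, max_pin_tries
        self._tries_left, self.state, self.expected_seq = max_pin_tries, "idle", 1
        self.credit_cents, self.pending_cents = 0, None
        self.journal, self._chain = [], b"\x00" * 32   # chain head sits in protected memory

    def _log(self, event, **fields):
        rec = {"n": len(self.journal), "event": event, **fields}
        self._chain = hashlib.sha256(self._chain + json.dumps(rec, sort_keys=True).encode()).digest()
        self.journal.append({**rec, "chain": self._chain.hex()})

    def _require(self, state):                          # state machine guard
        if self.state != state:
            self._log("sequence_violation", state=self.state)
            raise ModuleError("call not permitted in state " + self.state)

    def verify_pin(self, pin):
        self._require("idle")
        if self._tries_left == 0:
            raise ModuleError("module locked after repeated PIN failures")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            self._log("pin_failed", tries_left=self._tries_left)
            return False
        self._tries_left, self.state = self._max, "authenticated"
        return True

    def begin_load(self, amount_cents):
        self._require("authenticated")
        self.pending_cents, self.state = amount_cents, "load_pending"
        self._log("load_requested", amount_cents=amount_cents)
        return {"amount_cents": amount_cents}

    def complete_load(self, msg):
        self._require("load_pending")
        if not hmac.compare_digest(_mac(self._link_key, msg), msg.get("mac", "")):
            self._log("integrity_breach")
            raise ModuleError("message authentication failed")
        if msg["seq"] != self.expected_seq:             # re-imported or out-of-order message
            self._log("reimport", seq=msg["seq"])
            raise ModuleError("stale or replayed message")
        if msg["amount_cents"] != self.pending_cents:
            raise ModuleError("confirmed amount differs from requested amount")
        self.expected_seq += 1
        self.credit_cents += msg["amount_cents"]
        self.state, self.pending_cents = "idle", None
        self._log("load_completed", amount_cents=msg["amount_cents"], credit=self.credit_cents)

def journal_intact(journal):
    """Evaluating entity recomputes the chain; an edited or dropped record breaks it."""
    chain = b"\x00" * 32
    for rec in journal:
        body = {k: v for k, v in rec.items() if k != "chain"}
        chain = hashlib.sha256(chain + json.dumps(body, sort_keys=True).encode()).digest()
        if rec["chain"] != chain.hex():
            return False
    return True

def run_demo():
    key, out = b"link-key-shared-with-vtc", {}
    sm = SecurityModuleCore(key, "4711")
    out["wrong_pin"], out["right_pin"] = sm.verify_pin("0000"), sm.verify_pin("4711")
    def attempt(label, fn):
        try:
            fn()
            out[label] = "accepted"
        except ModuleError as e:
            out[label] = str(e)
    attempt("out_of_order", lambda: sm.complete_load(vtc_confirmation(key, 1, 500)))
    sm.begin_load(500)
    attempt("first_load", lambda: sm.complete_load(vtc_confirmation(key, 1, 500)))
    sm.verify_pin("4711")
    sm.begin_load(700)
    attempt("replayed", lambda: sm.complete_load(vtc_confirmation(key, 1, 500)))
    attempt("forged", lambda: sm.complete_load(dict(vtc_confirmation(key, 2, 700), amount_cents=7000)))
    attempt("second_load", lambda: sm.complete_load(vtc_confirmation(key, 2, 700)))
    edited = [dict(r) for r in sm.journal]
    edited[-1]["credit"] = 999999
    out.update(credit=sm.credit_cents, journal_ok=journal_intact(sm.journal),
               edited_journal_ok=journal_intact(edited))
    return out
```

`run_demo()` walks the module through a wrong PIN, a confirmation delivered before any load was requested (sequence violation), a correct load, a replay of the first confirmation (sequence counter), a confirmation whose amount was altered in transit (MAC failure) and a second correct load; the journal verifies as intact, and the same journal with one field edited does not. The attacker-facing reactions are only exceptions and journal entries here; a real module would additionally lock or zeroize on repeated breaches.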

The following measures can further enhance the data security:

-   Deletion of secret data from temporary memory media.
-   Secure implementation of producer-specific functions (e.g., within the scope of personalization); for instance, the use of Triple-DES or another secure symmetrical process for encrypting secret personalization data, and incorporation of plain-text keys in the form of divided secrets (e.g. key halves) according to the four-eye principle.
-   No non-secure auxiliary functions may exist (for example, encrypting, decrypting or signing of freely selectable data with keys of the system); no switching of the function of keys must be possible.
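The "divided secrets (e.g. key halves) according to the four-eye principle" in the second item deserve one caveat: literal halves hand each custodian half of the key bits, whereas XOR components give each custodian a uniformly random string that says nothing about the key until all components meet inside the module. The following is an added example, not code from the patent or from any security-module producer: splitting a key into XOR components, recombining them, and a `KeyLoader` that models key incorporation in the module, where each named custodian enters exactly one component and only a key check value (a hash of the assembled key) is ever returned. `KeyLoader`, `check_value` and the 16-byte `SAMPLE_KEY` are this example's own constructions.

```python
# Added example, not from the patent: "divided secrets (e.g. key halves)
# according to the four-eye principle" done as XOR components. Literal halves
# would give each custodian half of the key bits; XOR components give each
# custodian a uniformly random string that reveals nothing about the key
# until all of them are combined inside the module. KeyLoader, check_value and
# the 16-byte SAMPLE_KEY are this example's own constructions.
import hashlib
import secrets

SAMPLE_KEY = bytes(range(16))        # constructed key for the demonstration only

def split_key(key, parts=2):
    """Return `parts` components whose XOR equals `key`."""
    if parts < 2:
        raise ValueError("need at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for c in components:
        last = bytes(x ^ y for x, y in zip(last, c))
    return components + [last]

def combine_key(components):
    key = bytes(len(components[0]))
    for c in components:
        if len(c) != len(key):
            raise ValueError("component lengths differ")
        key = bytes(x ^ y for x, y in zip(key, c))
    return key

def check_value(key):
    """Key check value: lets custodians confirm the assembled key without seeing it."""
    return hashlib.sha256(key).hexdigest()[:8]

class KeyLoader:
    """Key incorporation inside the security module: each named custodian enters
    exactly one component; the key exists only after the last entry and is never
    returned, only its check value."""
    def __init__(self, custodians):
        self._expected, self._entered, self._key = set(custodians), {}, None

    def enter_component(self, custodian, component):
        if custodian not in self._expected:
            raise ValueError("unknown custodian")
        if custodian in self._entered:
            raise ValueError("custodian has already entered a component")
        self._entered[custodian] = component
        if set(self._entered) == self._expected:
            self._key = combine_key(list(self._entered.values()))
            self._entered.clear()                      # components are not retained
        return self._key is not None

    def key_check_value(self):
        if self._key is None:
            raise ValueError("key not yet assembled")
        return check_value(self._key)
```

The same split generalizes to any number of custodians (`split_key(key, 3)` for a three-eyes rule), and any subset short of the full set remains uniformly random. For the printed-out plain-text components themselves the usual handling applies: generate them in the production environment, hand them over on separate paths, and destroy them after the check value has been confirmed.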

Additional Aspects

-   Aside from the security modules used in the customer systems, other security modules also have to be examined: in particular, the security modules of the various certification authorities (CAs) of the producers of security modules.
-   The PC-related part of the customer software also has to be examined in terms of its security-relevant tasks (e.g. PIN input).
-   The producer of a customer system must provide a process that guarantees the secured transmission of the PIN from security modules to the users (for example, PIN letter mailing). The security of and compliance with such a concept must be examined.
-   Security of the producer environment, especially key incorporation, the security officer and, more generally, approval of the organizational security measures of producers according to a specified process. In particular, key management:
    -   1. Arrangements have to be put in place pertaining to the distribution, administration and possibly regular change and replacement of keys.
    -   2. Keys that are suspected of having been compromised must not be used anywhere in the entire system.

Preferred measures in the production and personalization of securitymodules are:

-   1. The production and personalization (initial incorporation of    secret keys, possibly user-specific data) of security modules have    to take place in a production environment that prevents    -   keys from being compromised during the personalization,    -   the personalization procedure from being carried out        fraudulently or without authorization,    -   unauthorized software or data from being incorporated,    -   security modules from being removed.-   2. It must be ensured that no unauthorized components that perform    security-relevant functions can be introduced into the system.-   3. The life cycle of all security modules has to be continuously    recorded.    Explanation:

The recording of the life cycle of a security module comprises:

-   production and personalization data,
-   location in time and space,
-   repair and maintenance,
-   shutdown,
-   loss or theft of the data storage media containing the security module such as files, dongles, crypto servers or chip cards,
-   production and personalization data,
-   introduction of new applications,
-   change in applications,
-   change in keys,
-   shutdown,
-   loss or theft.

Security Architecture

For the PC franking, a fundamental security architecture is provided that combines the advantages of various existing approaches and that offers a high level of security with simple means.

The security architecture preferably comprises essentially three units that are shown in a preferred arrangement in FIG. 4:

-   A value transfer center in which the identity of the customer and his/her customer system are known.
-   A security module which, as hardware/software that cannot be manipulated by the customer, ensures the security in the customer system (e.g. dongle or chip card with off-line solutions or equivalent server with on-line solutions).
-   A mail center where the validity of the postage indicia is checked or where manipulations to the value amount as well as to the postage indicium are recognized.

The individual process steps that are carried out in the value transfer center, customer system and mail center will be shown below in the form of a schematic diagram. The precise technical communication process, however, diverges from this schematic diagram (e.g. several communication steps to achieve a transmission shown here). In particular, in this depiction, the confidentiality and integrity of the communication between the identified and authenticated communication partners is a prerequisite.

Customer System

1.  Within the security module, a random number that the customer does not come to know is generated and temporarily stored.
2.  Within the security module, the random number is combined and encrypted together with an unambiguous identification number (security module ID) of the customer system, or of the security module, in such a way that only the value transfer center is capable of performing a decryption.
    -   In an especially preferred embodiment, the random number, together with a session key previously issued by the value transfer center and with the utilization data of the communication (request for establishing an account amount), is encrypted with the public key of the value transfer center and is digitally signed with the private key of the security module. This prevents the request from having the same form each time an account amount is loaded and from being able to be used for the fraudulent loading of account amounts (replay attack).
3.  The cryptographically handled information from the customer system is transmitted to the value transfer center within the scope of loading an account amount. Neither the customer nor third parties can decrypt this information.

In actual practice, use is made of asymmetrical encryption with the public key of the communication partner (value transfer center or security module).

Along with the possibility of a preceding exchange of keys, another option is a symmetrical encryption.

Value Transfer Center

4.  In the value transfer center, among other things, the random number that can be assigned to the identification number of the security module (security module ID) is decrypted.
5.  Through a request in the postage application database, the security module ID is assigned to a customer of the Deutsche Post.
6.  In the value transfer center, a loading procedure identification number is formed that contains parts of the security module ID, the actual account amount, etc. The decrypted random number is encrypted together with the loading procedure identification number in such a way that only the mail center is capable of performing a decryption. The customer, on the other hand, is not capable of decrypting this information. (The loading procedure identification number is additionally encrypted in a form that can be decrypted by the customer system.) In actual practice, the encryption is carried out with a symmetrical key according to TDES which is exclusively present in the value transfer center as well as in the mail centers. Symmetrical encryption is used here because of the demand for fast decryption procedures during the processing.
7.  The encrypted random number and the encrypted loading procedure identification number are transmitted to the customer system. Neither the customer nor third parties can decrypt this information. Through the general administration of the postal service provider's own, preferably symmetrical, key in the value transfer center and in the mail centers, the key can be exchanged at any time and key lengths can be changed as needed. This is a simple way to ensure a high level of security against manipulation. In actual practice, the loading procedure identification number is additionally made available to the customer in a non-encrypted form.

Customer System

8.  Within the scope of creating a postage indicium, the customer compiles the mailing-specific information or mailing data (e.g. value of postage, postal class, etc.) that is transmitted into the security module.
9.  Within the security module, a hash value is formed, among other things, on the basis of the following information:
    -   excerpts from the mailing data (e.g. value of postage, postal class, date, postal code, etc.),
    -   the temporarily stored random number (which was generated within the scope of the loading of an account amount)
    -   and optionally the loading procedure identification number.
10. The following data, among other things, is integrated into the postage indicium:
    -   excerpts from the mailing data in plain text (e.g. value of postage, postal class, date, postal code, etc.),
    -   the encrypted random number and the encrypted loading procedure identification number from the value transfer center and
    -   the hash value formed within the security module on the basis of the mailing data, of the random number and of the loading procedure identification number.

Mail Center

11. In the mail center, firstly, the mailing data is checked. If the mailing data integrated into the postage indicium does not match the mailing, then this is either a fraudulent franking or else a fantasy marking or smear. The mailing has to be sent over to the payment assurance system.
12. In the mail center, the random number and the loading procedure identification number, which were transmitted to the customer system within the framework of loading the account amount, are decrypted. For this purpose, only one single (symmetrical) key is needed in the mail center. If individual keys were used, however, a plurality of keys would have to be used.
13. In the mail center, a hash value is formed by means of the same process on the basis of the following information:
    -   excerpts from the mailing data,
    -   the decrypted random number,
    -   the decrypted loading procedure identification number.
14. In the mail center, the self-generated and the transmitted hash value are compared. If they both match, then the transmitted hash value was formed with the same random number that was also transmitted to the value transfer center within the scope of loading the account amount. Consequently, this is a real, valid account amount as well as mailing data that was communicated to the security module (validity verification). As far as the effort is concerned, the decryption, the formation of a hash value and the comparison of two hash values is theoretically the same as that of a signature verification. However, due to the symmetrical decryption, there is a time advantage over the signature verification.
15. Anomalies between loaded account amounts and franking amounts can be ascertained retrospectively by means of a countercheck in the background system (verification in terms of mailing duplicates, balance formation in the background system).
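The loading, franking and verification cycle of steps 1 to 14 above, as an added, constructed model that is not part of the patent: the value transfer center is the only party that can read the load request, the security module never holds the postal key, and the mail center verifies with one symmetric key and a hash comparison. The real ciphers (the value transfer center's public key, the TDES postal key) are replaced by an HMAC-SHA256 keystream stand-in, and all identifiers, field layouts and key names are assumptions.

```python
"""Constructed model of steps 1 to 14 (added example, not from the patent).
The real ciphers (public key of the value transfer center, TDES postal key)
are replaced by an HMAC-SHA256 keystream stand-in; all names are assumed."""
import hashlib
import hmac
import os
import struct


def _keyed_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 keystream (encrypt == decrypt)."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def indicium_hash(mailing_data: dict, random_number: bytes, lpid: bytes) -> bytes:
    """Steps 9 and 13: SHA-1 over mailing excerpts, random number and loading id."""
    excerpts = "|".join(f"{k}={mailing_data[k]}" for k in sorted(mailing_data)).encode()
    return hashlib.sha1(excerpts + random_number + lpid).digest()


class SecurityModule:
    """Customer-side module; it never holds the postal key (steps 1, 2, 8 to 10)."""

    def __init__(self, module_id: bytes, vtc_key: bytes):
        self.module_id, self.vtc_key = module_id, vtc_key   # vtc_key: stand-in for VTC public key
        self.random_number = self.enc_random = self.enc_lpid = self.lpid = None
        self.mailing_no = 0

    def load_request(self) -> bytes:
        self.random_number = os.urandom(16)                  # step 1: kept inside the module
        payload = self.module_id + self.random_number        # step 2: only the VTC can decrypt
        return _keyed_xor(self.vtc_key, b"load-request", payload)

    def store_load_response(self, enc_random: bytes, enc_lpid: bytes, lpid: bytes) -> None:
        self.enc_random, self.enc_lpid, self.lpid = enc_random, enc_lpid, lpid   # step 7

    def create_indicium(self, mailing_data: dict) -> dict:
        self.mailing_no += 1
        return {"mailing_data": dict(mailing_data), "mailing_no": self.mailing_no,
                "enc_random": self.enc_random, "enc_lpid": self.enc_lpid,
                "hash": indicium_hash(mailing_data, self.random_number, self.lpid)}


class ValueTransferCenter:
    """Steps 4 to 7; shares the symmetric postal key with the mail centers only."""

    def __init__(self, vtc_key: bytes, postal_key: bytes, customers: dict):
        self.vtc_key, self.postal_key, self.customers = vtc_key, postal_key, customers
        self.load_counter = 0

    def load(self, request: bytes, amount_cents: int) -> tuple:
        plain = _keyed_xor(self.vtc_key, b"load-request", request)          # step 4
        module_id, random_number = plain[:8], plain[8:]
        if module_id not in self.customers:                                 # step 5
            raise PermissionError("security module id not assigned to a customer")
        self.load_counter += 1                                              # step 6
        lpid = module_id[:4] + struct.pack(">IQ", amount_cents, self.load_counter)
        enc_random = _keyed_xor(self.postal_key, b"rnd", random_number)
        enc_lpid = _keyed_xor(self.postal_key, b"lpid", lpid)
        return enc_random, enc_lpid, lpid                                   # step 7


class MailCenter:
    """Steps 11 to 14 with the single symmetric key of step 12."""

    def __init__(self, postal_key: bytes):
        self.postal_key = postal_key

    def verify(self, indicium: dict, observed_mailing: dict) -> tuple:
        if indicium["mailing_data"] != observed_mailing:                    # step 11
            return False, "mailing data does not match the mailpiece"
        random_number = _keyed_xor(self.postal_key, b"rnd", indicium["enc_random"])   # step 12
        lpid = _keyed_xor(self.postal_key, b"lpid", indicium["enc_lpid"])
        expected = indicium_hash(indicium["mailing_data"], random_number, lpid)       # step 13
        if not hmac.compare_digest(expected, indicium["hash"]):                       # step 14
            return False, "hash mismatch: random number was not issued via the VTC"
        return True, "valid"


def run_cycle(tamper: bool = False, forged: bool = False) -> tuple:
    """One load and one franking; the flags replay two failure cases from the text."""
    vtc_key, postal_key = os.urandom(32), os.urandom(32)
    vtc = ValueTransferCenter(vtc_key, postal_key, {b"SM000001": "customer A"})
    module = SecurityModule(b"SM000001", vtc_key)
    module.store_load_response(*vtc.load(module.load_request(), 50_000))
    mailing = {"postage": 56, "class": "standard", "date": "2001-03-01", "zip": "53113"}
    indicium = module.create_indicium(mailing)
    if forged:   # random number chosen outside the security module, VTC bypassed
        indicium["enc_random"] = os.urandom(16)
    observed = dict(mailing, postage=112) if tamper else mailing   # altered mailpiece
    return MailCenter(postal_key).verify(indicium, observed)
```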

The fundamental security architecture presented does not comprise the separately secured administration of the account amounts (purse function), the security of the communication between the customer system and the value transfer center, the mutual identification of the customer system and of the value transfer center, and the initialization for the secure start-up of a new customer system.

Attacks on the Security Architecture

The described security architecture is secure against attacks through the following:

-   Third parties cannot use the intercepted (copied) successful communication between a customer system and the value transfer center for fraudulent purposes (replay attacks).
-   Third parties or customers cannot simulate a legitimate customer system vis-à-vis the value transfer center by using a manipulated customer system. If a third party or a customer replicates the transmission of a random number and of a safe-box ID that were not generated within a security module but that he/she knows, then the loading of the account amounts will fail either because of the separately executed identification of the legitimate customer through user name and password, or else because of the knowledge of the private key of the security module, which the customer may never know under any circumstances. (This is why the initialization process for key generation in the security module and the certification of the public key have to be properly carried out by the customer system provider.)
-   Third parties or customers cannot load valid account amounts into a customer system using a simulated value transfer center. If a third party or a customer replicates the functionality of the value transfer center, then this replicated value transfer center will not succeed in generating an encrypted loading procedure identification number that can be properly decrypted in the mail center. Moreover, the certificate of the public key of the value transfer center cannot be forged.
-   Customers cannot circumvent the value transfer center in order to create a postage indicium whose loading procedure identification number is encrypted in such a way that it could be decrypted in the mail center as being valid.

In order to increase data security, especially against searching, an exhaustive number of random numbers has to be used for forming the hash value.

-   Therefore, the length of the random number should be as large as possible, preferably at least 16 bytes (128 bits).
-   The security architecture employed is superior to the prior art methods, thanks to the possibility of using customer-specific keys, without it being necessary to keep keys ready in places intended for decryption, especially in mail centers. This advantageous embodiment is fundamentally different from the known systems according to the Information-Based Indicia Program (IBIP).
-   If no signature verification is carried out, as in the IBIP model, then not much more security would be achieved than with postage metering by the sender. Moreover, if the fact becomes known that the digital signatures are not verified, this could lead to increased misuse. After all, if all of the information that is used for the plausibility verification is forged with the intention of fraud, but without adding a valid signature, then this misuse cannot be recognized, even if it is widespread, except when spot checks are carried out.

Advantages of the Security Architecture

The following features characterize the described security architecture in comparison to the IBIP model from the United States:

-   The actual security is ensured in the systems of the Deutsche Post (value transfer center, mail center, payment assurance system) and is thus completely within the sphere of influence of the Deutsche Post.
-   No signatures are used in the postage indicium, but rather technically equivalent and equally secure (symmetrically) encrypted data and hash values are used. For this purpose, in the simplest case, only a symmetrical key is used that is exclusively within the sphere of influence of the Deutsche Post and that is thus easy to replace.
-   In the mail center, a verification of all of the postage indicia features is possible (instead of on the basis of spot checks).
-   The security concept is based on a simple, inherently closed verification cycle that matches a background system harmonized with this.
-   The system recognizes even duplicates, which can otherwise hardly be detected.
-   Invalid fantasy markings can be recognized with great accuracy using this method.
-   In addition to the plausibility check, with all of the postage indicia, the loading procedure identification number can be checked in real time.

Types of Mailing

With PC franking, all of the products of the mailing service provider such as, for example, “national letter” (including extra services) and “national direct marketing” can be franked by the mailing service provider according to a preceding stipulation.

By the same token, this method can be used for other shipping forms such as package and express shipments.

The maximum monetary amount that can be loaded via the value transfer center is set at an appropriate level. The amount can be selected depending on the requirement of the customer and on the security needs of the postal service provider. Whereas a monetary amount of several hundred German marks at the maximum is especially advantageous for use by private customers, large-scale customers require far higher monetary amounts. An amount in the range of about 500 German marks is suitable for high-volume private households as well as for free-lancers and small businesses. From a system-related technical standpoint, the value stored in the purse should preferably not exceed twice the value amount.

Incorrectly Franked Mailings

Letters, envelopes, etc. that have already been printed and that are incorrectly franked are credited back to the customer in the form of a valid postage indicium.

Through suitable measures, for example, by stamping mailpieces as they arrive at the mail center, it is possible to ascertain whether a mailpiece has already been delivered. This prevents customers from getting already delivered mailpieces back from the recipient and from submitting them to the postal service provider, for example, Deutsche Post AG, in order to obtain a refund.

The return to a central place of the postal service provider, for example, Deutsche Post, allows a high degree of payment assurance through a comparison of the data with account amounts, and this provides knowledge about the most frequent reasons for returns. This might offer the possibility of fine-tuning by changing the entry prerequisites with the objective of reducing the return rates.

Validity of Postage Indicia

For purposes of payment assurance, account amounts purchased by the customer are valid, for example, for only three months. An indication to this effect should be included in the agreement with the customer. If franking values cannot be used up within 3 months, then the customer system has to contact the value transfer center for a renewed creation of postage indicia. During this contact, like with the proper loading of account amounts, the remaining amount of an old account amount is added to a newly issued account amount and made available to the customer under a new loading procedure identification number.

Special Operational Handling

Fundamentally, the postage indicia can have any desired form in which the information contained therein can be reproduced. However, it is advantageous to configure the postage indicia in such a way that they have the form of bar codes, at least in certain areas. With the presented solution of the 2D bar code and the resultant payment assurance, the following special features must be taken into account during the processing:

PC-franked mailpieces can be dropped off via all drop-off modalities, also via mailboxes.

Compliance with the described security measures is further enhanced by specifying the approval prerequisites for producers of components of the franking system that are relevant for the interfaces, especially for the producers and/or operators of customer systems.

Governing Norms, Standards and Requirements

International Postage Meter Approval Requirements (IPMAR)

Preferably, the regulations in the most recent version of the document titled International Postage Meter Approval Requirements (IPMAR), UPU S-30, are applicable, as are all norms and standards to which this document makes reference. Compliance with all of the requirements listed there, to the extent possible, is recommended for the customer system.

Digital Postage Marks: Applications, Security & Design

Fundamentally, the regulations of the current version of the document titled Digital Postage Marks: Applications, Security & Design (UPU: Technical Standards Manual) are applicable, as are all norms and standards to which this document makes reference. Compliance with the “normative” content as well as far-reaching observation of the “informative” content of this document, to the extent possible, is recommended for the customer system.

Preferably, rules and regulations of the postal service provider are likewise applicable.

The data security and the reliability of the system as well as its user-friendliness are ensured by approving only those systems that fulfill all of the statutory regulations as well as all of the norms and standards of the postal service provider.

Additional Laws, Rules, Regulations, Guidelines, Norms and Standards

Fundamentally, all laws, rules, regulations, guidelines, norms and standards in their currently valid version that must be observed for the development and operation of a technical customer system in the actual execution are applicable.

Technical System Interoperability

Technical system interoperability relates to the functionality of the interfaces of the customer system, or to the compliance with the specifications set forth in the interface descriptions.

Accounting Interface

Communication Path, Protocols

The communication via the accounting interface preferably takes place via the public Internet on the basis of the TCP/IP and HTTP protocols. The data exchange can optionally be encrypted per HTTP via SSL (https). The target process of a necessary transmission is depicted here.

To the extent possible, the data exchange preferably takes place via HTML-coded and XML-coded files. The text and graphic contents of the HTML pages should be displayed in the customer system.

In the case of communication pages, it seems advisable to turn to a well-established HTML version and to dispense with the use of frames, embedded objects (Applets, ActiveX, etc.) and optionally animated GIFs.

Sign-On to Load an Account Amount (First Transmission from the Security Module to the Value Transfer Center)

Within the scope of the first transmission from the security module to the value transfer center, the certificate of the security module as well as an action indicator A are transmitted in non-encrypted and unsigned form.

Acknowledgement of the Sign-On (First Response from the Value Transfer Center to the Security Module)

The acknowledgement of the value transfer center contains the value transfer center's own certificate, an encrypted session key and the digital signature of the encrypted session key.

Second Transmission from the Security Module to the Value Transfer Center

Within the scope of this transmission, the security module transmits the newly encrypted session key, the encrypted random number and the encrypted data record with utilization data (level of a previously loaded account amount, remaining value of the current account amount, ascending register of all account amounts, last loading procedure identification number) to the value transfer center (all asymmetrically encrypted with the public key of the value transfer center). At the same time, the security module transmits the digital signature of this encrypted data to the value transfer center. Simultaneously, the customer system can transmit additional, non-encrypted and unsigned utilization journals or utilization profiles to the value transfer center.

It is advantageous for the utilization data to be entered into a utilization journal and for the utilization journal and/or the entries recorded therein to be digitally signed.

Second Response from the Value Transfer Center to the Security Module

The value transfer center transmits the symmetrically encrypted random number and the symmetrically encrypted loading procedure identification number to the security module. Moreover, the value transfer center transmits to the security module the loading procedure identification number, log-in information for the security module as well as a new session key, which have been encrypted with the public key of the security module. All of the transmitted data is also digitally signed.

Third Transmission from the Security Module to the Value Transfer Center

Within the scope of the third transmission, the security module transmits the new session key and the new loading procedure identification number together with utilization data to confirm successful communication, all in encrypted and digitally signed form, to the value transfer center.

Third Response from the Value Transfer Center to the Security Module

In the third response, the value transfer center acknowledges the success of the transmission without the use of cryptographic methods.

De-Installation

It must be possible for the customer to de-install the customer system.

The detailed technical description of the accounting interface is presented with the concept of the postal authority's own value transfer center.

Utilization Journal and Utilization Profile

In the customer system, within the scope of each generation of a postage indicium, a journal entry has to be generated that must contain all information about each postage indicium, provided with a digital signature of the security module. Moreover, each error status of the security module has to be recorded in the journal in such a way that the manual deletion of this entry is noticed during the verification procedure.

The utilization profile contains a prepared summary of the utilization data since the last communication with the value transfer center.

If a customer system is divided into a component located at the premises of the customer as well as a central component (e.g. in the Internet), then the utilization profile has to be maintained in the central component.

Postage Indicium Interface

Components and Execution

The customer system has to be capable of creating PC indicia that correspond precisely to the specifications of the Deutsche Post, or to the framework of the commonly used CEN and UPU standards.

PC indicia preferably consist of the following three elements:

-   A two-dimensional line code, bar code or matrix code, in which mailing-specific information is depicted in machine-readable form. (Purpose: automation in the processing and in the payment assurance system of the Deutsche Post.)
-   Plain text showing important parts of the bar code information in readable form. (Purpose: control option for the customer in the processing and in the payment assurance system of the Deutsche Post.)
-   A logo identifying the postal service provider, for example, the Deutsche Post such as, for example, the typical coach horn of the German Postal System.

Specification of the Data Content

Advantageously, the bar code and the plain text of the PC postage indicium contain the following information:

TABLE: Content of the PC postage indicium

| No. | Content | In bar code | In plain text | Size (bytes) | Type | Remark |
|---|---|---|---|---|---|---|
| 1 | Postal service provider | Yes | No | 3 | Binary | e.g. Deutsche Post |
| 2 | Type of mailing | Yes | No | 1 | Binary | e.g. PC franking |
| 3 | Version | Yes | No | 1 | Binary | price/product version |
| 4 | Crypto-algorithm ID | Yes | No | 1 | Binary | e.g. TDES, 128 bit |
| 5 | Loading procedure identification number (encrypted) | Yes | | 16 | Binary | producer, model, serial no., consecutive specification, amount, currency, valid until, redundancy |
| 6 | Random number (encrypted) | Yes | No | 16 | Binary | |
| 7 | Consecutive mailing no. | Yes | Yes | 3 | Binary | Relative to the security module |
| 8a | Type of product | Yes | Yes | 2 | Binary | Including additional services; in plain text only for types of mailing at reduced rates (e.g. information letter) |
| 8b | Mailing form | No | Yes | — | Binary | Type of mailing or special mailing form |
| 9 | Payment | Yes | Yes | 2 | Binary | Plain text in ASCII |
| 10 | Franking date | Yes | Yes | 3 | Binary | |
| 11 | Postal code of the recipient | Yes | No | 3 | Binary | |
| 12 | Street/P.O. box of the recipient | Yes | No | 6 | ASCII | First and last three items of the address |
| 13 | Remaining value of the value amount | Yes | No | 3 | Binary | |
| 14 | Hash value | Yes | No | 20 | Binary | SHA-1 |

Only the content of the postage indicium is described here. The requirements of the postal service provider retain their validity for the content of the address data.
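The bar-code part of the indicium as laid out in the table above, as an added, constructed encoder and parser that is not part of the patent: it follows the table's field order and byte sizes (14 fields, 80 bytes in total) and rejects values that do not fit. Assumed, because the page fixes sizes but not encodings: binary fields are unsigned big-endian integers, the franking date is a YYMMDD integer, amounts are in cents, and ASCII fields are space-padded.

```python
"""Constructed encoder/decoder for the bar-code payload of the PC postage
indicium (added example, not from the patent). Sizes follow the table; the
integer, date and amount encodings are assumptions."""

# (field, size in bytes, kind) in bar-code order; row 8b (mailing form) is plain text only.
BARCODE_LAYOUT = (
    ("postal_service_provider", 3, "int"),
    ("type_of_mailing", 1, "int"),
    ("version", 1, "int"),
    ("crypto_algorithm_id", 1, "int"),
    ("loading_procedure_id_enc", 16, "bytes"),   # opaque: encrypted by the VTC
    ("random_number_enc", 16, "bytes"),          # opaque: encrypted by the VTC
    ("consecutive_mailing_no", 3, "int"),
    ("type_of_product", 2, "int"),
    ("payment", 2, "int"),                       # assumed: cents
    ("franking_date", 3, "int"),                 # assumed: YYMMDD as an integer
    ("recipient_postal_code", 3, "int"),
    ("recipient_street", 6, "ascii"),
    ("remaining_value", 3, "int"),               # assumed: cents
    ("hash_value", 20, "bytes"),                 # SHA-1 digest
)
BARCODE_SIZE = sum(size for _, size, _ in BARCODE_LAYOUT)   # 80 bytes per the table


def encode_barcode(fields: dict) -> bytes:
    """Serialize one indicium; every field is range- and length-checked."""
    out = bytearray()
    for name, size, kind in BARCODE_LAYOUT:
        value = fields[name]
        if kind == "int":
            if not 0 <= value < 1 << (8 * size):
                raise ValueError(f"{name}: {value} does not fit in {size} bytes")
            out += value.to_bytes(size, "big")
        elif kind == "bytes":
            if len(value) != size:
                raise ValueError(f"{name}: expected {size} bytes, got {len(value)}")
            out += value
        else:  # ascii, space-padded on the right
            raw = value.encode("ascii")
            if len(raw) > size:
                raise ValueError(f"{name}: longer than {size} characters")
            out += raw.ljust(size)
    return bytes(out)


def decode_barcode(data: bytes) -> dict:
    """Inverse of encode_barcode; rejects payloads of the wrong total length."""
    if len(data) != BARCODE_SIZE:
        raise ValueError(f"expected {BARCODE_SIZE} bytes, got {len(data)}")
    fields, offset = {}, 0
    for name, size, kind in BARCODE_LAYOUT:
        chunk = data[offset:offset + size]
        offset += size
        if kind == "int":
            fields[name] = int.from_bytes(chunk, "big")
        elif kind == "bytes":
            fields[name] = chunk
        else:
            fields[name] = chunk.decode("ascii").rstrip()
    return fields


SAMPLE_INDICIUM = {   # constructed values, not real indicium data
    "postal_service_provider": 0x444550,   # "DEP" used as a 3-byte provider tag
    "type_of_mailing": 1, "version": 1, "crypto_algorithm_id": 1,
    "loading_procedure_id_enc": bytes(range(16)),
    "random_number_enc": bytes(range(16, 32)),
    "consecutive_mailing_no": 42,
    "type_of_product": 7, "payment": 56, "franking_date": 10301,
    "recipient_postal_code": 53113, "recipient_street": "Rat 5",
    "remaining_value": 49944,
    "hash_value": bytes(20),
}
```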

Specification of the Physical Appearance on Paper (Layout)

The postage indicium is advantageously applied in the address field so as to be left-aligned above the address on the mailpiece.

The address field is specified in the most recent valid version of the standards of the postal service provider. In this manner, the following postage indicia are made possible:

-   imprint on the envelope,
-   imprint on adhesive labels, or
-   use of window envelopes in such a way that the imprint on the letter is completely visible through the window.

The following preferably applies to the individual elements of the postage indicium:

-   Firstly, the bar code of the data matrix type is used; its individual pixels should have an edge length of at least 0.5 mm.
    -   In view of the reading-related technical prerequisites, it is preferable to use a 2D bar code in the form of the data matrix with a minimum pixel size of 0.5 mm. An optional, advantageous refinement is to reduce the pixel size to 0.3 mm.
-   With a representation size of 0.5 mm per pixel, the edge length of the entire bar code is about 18 mm to 20 mm when all of the data is integrated as described. If bar codes with a pixel size of 0.3 mm can be read in the address reading machine, then the edge length can be reduced to 13 mm.
-   A subsequent expansion of the specifications to the use of another bar code (e.g. Aztec) with the same data contents is possible.

A preferred embodiment of the layout and of the positioning of the individual elements of the postage indicium is shown by way of an example below in FIG. 5.

The “most critical” dimension is the height of the depicted window of a window envelope that measures 45 mm×90 mm in size. Here, a DataMatrix code with an edge length of about 13 mm is shown which, when the proposed data fields are used, is only possible with a pixel resolution of 0.3 mm. In terms of the available height, a code with an edge length of 24 mm does not leave sufficient space for information about the address.

Printing Quality and Readability

The flawless imprint of the postage indicium is the responsibility of the producer of the customer system within the scope of the approval procedure as well as the responsibility of the customer during the subsequent operations. For this purpose, the customer should be provided with suitable information in a user's manual and in a help system. This applies especially to the aspects of neatly adhering the labels and to preventing (parts of) the postage indicium from shifting outside of the visible area of window envelopes.

The machine-readability of postage indicia depends on the printing resolution used as well as on the contrast. If colors other than black are going to be used, then the reading rate can be expected to be lower. It can be assumed that the requisite reading rate can be met if a resolution of 300 dpi (dots per inch) is used in the printer along with a high printing contrast; this corresponds to about 120 pixels per centimeter.

Test Imprints

The customer system has to be capable of creating postage indicia whose appearance and size match valid postage indicia, but that are not intended for mailing but rather for test imprints and fine adjustments of the printer.

Preferably, the customer system is configured in such a way that the test imprints can be distinguished from actual postage indicia in a manner that the postal service provider can readily recognize. For this purpose, for example, the words “SAMPLE—do not mail” can be printed in the middle of the postage indicium. At least two-thirds of the bar code should be rendered unrecognizable by the words or in some other manner.

Aside from real (paid) postage indicia, except for specially marked test imprints, no blank imprints may be made.

Requirements of the Customer System

Basic System

Overview and Functionality

The basic system serves as a link between the other components of the PC franking, namely, the value transfer center, the security module, the printer and the customer. It consists of one or more computer systems, for example, PCs, that can optionally also be networked with each other.

A representation of the entire system is shown in FIG. 6.

The basic system also ensures the convenient utilization of the entire system by the customer.

Requirements of the Structure and the Security

The basic system preferably has four interfaces:

1.  The communication with the value transfer center takes place via the already described accounting interface.
2.  Via an interface to the security module, all of the information is exchanged that has to be communicated to the security module (account amount, or loading procedure identification number, mailing-specific data on individual franking operations). Moreover, all data (cryptographically processed data) is exchanged with the security module via this interface.
3.  The printer is actuated by an interface to the printer.
4.  Via an interface to the user or to the customer (Graphical User Interface, GUI), the user must be able to initiate all relevant processes in the most ergonomic manner possible.

Moreover, the following data has to be stored and processed in the basic system:

-   user-specific settings/data,
-   detailed utilization journals and utilization profiles,
-   when SSL is used: interchangeable certificates with which the validity of the SSL certificates can be verified and
-   all relevant information about the products and prices of the postal service provider.

Functional Scope and Sequences

The basic system preferably supports the following sequences:

-   a first installation with user help,
-   user identification, especially vis-à-vis the security module; optionally with different authorizations for loading account amounts and for creating postage indicia,
-   optionally, administration of several users,
-   user support while loading account amounts (here, support in the reproduction of information that is transmitted by the value transfer center in the form of HTML-coded files),
-   user support when problems arise during the loading of account amounts,
-   transparent administration of the value amount (account overview) for the user,
-   administration of utilization journals, preparation of utilization profiles and transmission of utilization journals or utilization profiles,
-   user support in creating and printing out the postage indicium (illustration of a sample of the postage indicium to be printed on the monitor, WYSIWYG),
-   plausibility-based payment computation according to service information of the Deutsche Post,
-   electronic help system,
-   automatic updating of the relevant information about the products and prices of the Deutsche Post in case of changes as well as information for the customer on an update that is taking place or has been completed,
-   technical prevention of multiple imprints of one and the same postage indicium and
-   de-installation of the customer system.

Security Module

Task and Security Level

As a “cryptographic module” as defined in FIPS PUB 140, Security Requirements for Cryptographic Modules, the security module ensures the actual security of the customer system. It consists of hardware, software, firmware or a combination thereof and encompasses the cryptographic logic and the cryptographic processes, that is to say, the administration and application of cryptographic processes as well as the manipulation-proof storage of the value amount. The requirements that the security module must comply with are defined

-   in terms of the security standard, by appropriate norms such as, for example, FIPS PUB 140 and
-   in terms of compliance with postal standards, by the UPU publication based on FIPS PUB 140, “International Postage Meter Approval Requirements (IPMAR)”.

For introduction into and operation in a customer system, a security module has to be appropriately certified as a cryptographic module as set forth in FIPS PUB 140—preferably in accordance with Security Level 3—within the scope of the introduction process.

Processes of the Security Module

For purposes of initialization, for communication with the value transfer center and for deactivation, in addition to the regular operations, the security module should preferably support essentially the following processes, which are described in detail in the back part of the Technical Description Appendix:

-   key generation
-   issuance of the public key
-   certificate storage
-   signature generation
-   signature verification
-   certificate verification
-   temporary certificate storage
-   asymmetrical encryption
-   asymmetrical decryption
-   random number generation
-   storage of a session key
-   storage of two loading procedure identification numbers
-   storage of the current register value of the account amounts
-   storage of the ascending register value
-   user identification
-   status output of the validity of the account amounts
-   status output of the register value of the account amounts
-   hash formation of the mailing-specific data
-   reduction of the register values of loaded account amounts
-   recording of errors in a journal
-   self-test
-   deactivation

Test Imprints

The security module is not used during the test imprint and is consequently not contacted.

Printer

Depending on the specifications of the producer, the printer can be either a commercially available standard printer or a special printer.

The vast majority of today's laser and inkjet printers should fundamentally be suitable for PC franking. Printers with a resolution of at least 300 dpi are recommended.

Processes within the Customer System

Sequence of Creating Postage Indicia

Through the customer system, the customer carries out the following partial processes in the creation of postage indicia:

-   Set-up of the connection to the security module: a connection to the security module is established via the basic system.
-   Identification of the user: the user identifies himself/herself to the security module personally with the password/PIN, thereby activating it.
-   Input of the mailing-specific information: with the assistance of the system, the customer enters the necessary mailing-specific information into the basic system, which transmits the essential data to the security module.
-   Creation of the postage indicium: the basic system uses the mailing-specific data and the cryptographically processed data from the security module to create a postage indicium.
-   Recording the creation of postage indicia in the journal: each successful retransmission is recorded in a utilization journal of the basic system. If a customer system is divided into a local component situated at the premises of the customer as well as a central component (e.g. in the Internet), then the utilization journal has to be recorded in the central component.
-   Termination of the communication connection: once all of the requested postage indicia have been created, the communication connection is terminated once again. When postage indicia are to be created again, the user identification—as described above—has to be carried out again.
-   Test imprints: as an alternative to this approach, it is possible to allow the user guidance to advance to such an extent that a sample of a postage indicium is depicted on the terminal (WYSIWYG) and a (non-valid) test imprint can be printed out. Here, only in a later stage would the above-mentioned process of incorporation of the security module take place.

The use of the technical system is complemented by practical organizational measures so that a multiple mailing of a postage indicium, which can be technically registered, is also viewed as a violation of the terms and conditions of the sender.

Furthermore, it is advantageous to provide suitable technical parameters for printing out the postage indicia, especially in terms of the printing quality, so that the postage indicia can be better read in automatic reading devices.

Suitable quality assurance systems, especially according to the ISO 9001 ff. standards, can be used as the basis for checking the system.

1. A method for providing mailpieces with postage indicia, comprising providing a customer system which interacts with a customer to regulate a loading and a storing of account amounts of the customer; generating and storing by a security module of the customer system a random number; combining and encrypting by the security module the random number and an identification number of the security module; transmitting by the security module the encrypted random number and identification number of the security module to a value transfer center; decrypting by the value transfer center the encrypted random number and the identification number of the security module; assigning by the value transfer center the identification number of the security module to the customer in a postage application database; forming by the value transfer center a loading procedure identification number that contains the identification number of the security module and an actual account amount of the customer; encrypting by the value transfer center the decrypted random number together with the loading procedure identification number; transmitting by the value transfer center the encrypted random number and the encrypted loading procedure identification number to the customer system; forming by the security module a hash value of a portion of the mailing data, the random number and the loading procedure identification number; creating by the customer system a postage indicium using the portion of the mailing data, the encrypted random number, the encrypted loading procedure identification number and the hash value; and printing by the customer system the postage indicium which is applied to the mailpieces.

2. The method according to claim 1, including signing in the customer system data with a private key.

3. The method according to claim 2, including storing the private key in the security module.

4. The method according to claim 1, including transmitting data from the customer system to the value transfer center at the time of each request for a monetary amount.

5. The method according to claim 4, including identifying in the value transfer center the customer system on the basis of the transmitted data.

6. The method according to claim 1, including decrypting a part of data by the customer system which contains information about the identity of the customer system.

7. The method according to claim 1, including decrypting a part of data by the customer system which contains information about the actual monetary amount.

8. The method according to claim 1, including containing in the postage indicium information transmitted by the value transfer center as well as data entered by the user of the customer system.

9. The method according to claim 1, including entering the encrypted random number in the formation of the loading procedure identification number.

10. The method according to claim 1, including transmitting the loading procedure identification number to the security module.

11. The method according to claim 1, including verifying the validity of postage indicia in a mail center.

12. The method according to claim 11, including performing the verification in the mail center by an analysis of data contained in the postage indicium.

13. The method according to claim 11, including forming in a verification station of the mail center a self-generated hash value and checking whether the self-generated hash value matches the hash value and, if it does not match, registering the postage indicium as being forged.
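The loading and verification flow of claims 1 and 13, as an added model that is not part of the patent: the security module sends its random number and identification number encrypted for the value transfer center, the center re-encrypts the random number together with the loading procedure identification number under a key the customer system does not hold, and the mail center decrypts that part and recomputes the hash. The module identifier, keys, account record and mailing data are constructed, and the HMAC-SHA256 XOR keystream is a toy stand-in for the real cipher, which the page does not specify.

```python
import hashlib, hmac, json, os

# Constructed keys for this model: VTC_KEY stands in for the key the security
# module encrypts to the value transfer center with; POSTAL_KEY is the key
# "not known to the customer system", shared only by the VTC and the mail center.
VTC_KEY, POSTAL_KEY = b"model-vtc-key", b"model-postal-key"
POSTAGE_DB = {"SM-0001": {"customer": "C-42", "account_cents": 5000}}  # constructed

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the real cipher: XOR with an HMAC-SHA256 keystream.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def security_module_request(module_id: str) -> tuple:
    """Security module: generate and keep the random number, send it together
    with the module ID encrypted so that only the VTC can read it."""
    nonce = os.urandom(16)
    return nonce, xor_cipher(VTC_KEY, nonce + module_id.encode())

def value_transfer_center(request: bytes) -> tuple:
    """VTC: decrypt, form the loading procedure ID (module ID + account amount)
    and re-encrypt nonce + LPID under POSTAL_KEY, which the customer cannot open."""
    plain = xor_cipher(VTC_KEY, request)
    nonce, module_id = plain[:16], plain[16:].decode()
    lpid = f"{module_id}:{POSTAGE_DB[module_id]['account_cents']}"  # KeyError: unknown module
    return xor_cipher(POSTAL_KEY, nonce + lpid.encode()), lpid  # LPID readable: claims 7, 10

def indicium_hash(mail: dict, nonce: bytes, lpid: str) -> str:
    """Hash over the mailing data, the random number and the LPID (claim 1)."""
    canon = json.dumps(mail, sort_keys=True).encode()
    return hashlib.sha256(canon + nonce + lpid.encode()).hexdigest()

def create_indicium(module_id: str, mail: dict) -> dict:
    """Customer system: indicium = mailing data + encrypted (nonce, LPID) + hash."""
    nonce, request = security_module_request(module_id)
    token, lpid = value_transfer_center(request)
    return {"mail": mail, "token": token.hex(), "hash": indicium_hash(mail, nonce, lpid)}

def verify_indicium(indicium: dict) -> bool:
    """Mail center (claim 13): decrypt the token, recompute the hash, and treat
    any mismatch or undecodable token as a forged indicium."""
    plain = xor_cipher(POSTAL_KEY, bytes.fromhex(indicium["token"]))
    try:
        nonce, lpid = plain[:16], plain[16:].decode()
    except UnicodeDecodeError:
        return False
    return hmac.compare_digest(indicium_hash(indicium["mail"], nonce, lpid), indicium["hash"])
```

Changing any field of the mailing data, or any byte of the re-encrypted part, breaks the recomputed hash, which is what lets the verification station reject a forged indicium without the customer system ever holding POSTAL_KEY.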